GoldenEye Ransomware – A New Variant of Petya Ransomware

The creators of Petya ransomware, going by the name of Janus, have come out with a new variant tabbed as GoldenEye ransomware. Continuing with the James Bond theme, the GoldenEye ransomware is almost identical to past versions of Petya and Mischa variants.

Petya Ransomware HistoryThe Petya ransomware emerged on the cybersecurity scene back in March 2016. Typically, when a user becomes infected with ransomware, the malware targets and encrypts files on the victim’s hard drives. By doing this, the malware leaves the operating system working properly. However, Petya takes it to the next level. Instead of encrypting files on the hard drive, the ransomware encrypts portions of the hard drive itself, making the user unable to access anything on the drive, including Windows.

The ransomware is distributed via emails that target human resource departments. The emails contain a Dropbox link to supposed applications that download a file and when executed, install the Petya ransomware on the system.

In May, two months after the release of Petya, the ransomware bundled a second file-encrypting program for cases where it cannot replace a computer’s master boot record to encrypt its file table. Before encrypting the computer’s master file table (MFT), the ransomware replaces the computer’s master boot record (MBR), which contains a code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves the computer unable to boot.

However, in order to overwrite the MBR and the computer it infected, the malware needs to obtain administrator privileges. In previous versions of Petya, if it failed to obtain administrator privileges, the infection routine stopped. The latest variant, dubbed Mischa, installs another ransomware program that begins to encrypt users’ files directly, which doesn’t require administrator privileges.

In summary, Petya starts off by distributing the ransomware through an email posing as a job application. Once executed, the fake file attempts to download Petya, and if that fails, it installs Mischa. This dynamic duo ensures that the cybercriminals will encrypt your hard drive, leaving you unable to use your system until you have paid the ransom.

GoldenEye Ransomware
Like the earlier version of Petya, the GoldenEye ransomware is distributed via emails. Posing as job applications, the emails include two file attachments that are supposedly resumes and have a subject starting with the word Bewerbung. As you can see in the email below, GoldenEye is targeting German users.

One of the attachments is a fake resume that is used to convince members of the human resource department that the email is legitimate. The second attachment is an Excel spreadsheet, which is the installer for the GoldenEye ransomware that contains a malicious macro. In the spam emails that have been circulating over the past couple of days, the following Excel names have been observed to be spreading GoldenEye.

Wiebold-Brewerbung.xls

Meinel-Brewerbung.xls

Seidel-Brewerbung.xls

Wust-Brewerbung.xls

Born-Brewerbung.xls

Schlosser-Brewerbung.xls

When a user clicks on the ‘Enable Content’ button, the macro will launch and save the embedded file into an executable file in the temp folder. Once the file has finished being created, the malware will automatically launch, beginning the encryption process on the computer.

Here is where GoldenEye differs from the earlier combination of the Petya/Mischa version. Instead of running Petya first and trying to gain administrative privileges to overwrite the MBR and then running Mischa to encrypt files, GoldenEye does the opposite.

Starting just like any other ransomware, GoldenEye encrypts the user’s files and appends a random 8-character extension. This is the Mischa part of the ransomware. Shortly after displaying the ransom note, GoldenEye enters the Petya part of the encryption process. The ransomware forcibly reboots the user’s computer and enters the stage where it starts encrypting the user’s hard drive MFT which makes it impossible to access any files on the hard drive. This process is masked by a fake ‘check disk (chkdsk)’ screen as seen below.

Once this process ends, you will see a new ransom screen, using yellow-colored text hence the name ‘GoldenEye.’ The GoldenEye ransom note is shown below.

The GoldenEye ransomware has seen incredible numbers compared to the Locky ransomware, which has been one of the most successful ransomware to-date. Last Wednesday, (December 7, 2016) GoldenEye infected 160 users in Germany alone while Locky’s best day over the last month infected 375 users across 30 countries. The ransom for the encryption key is currently set at 1.33 bitcoinswhich equates to roughly $1,000.